package org.wso2.carbon.identity.sso.saml.processors;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.opensaml.saml2.core.Response;
import org.wso2.carbon.CarbonConstants;
import org.wso2.carbon.core.util.AnonymousSessionUtil;
import org.wso2.carbon.identity.base.IdentityException;
import org.wso2.carbon.identity.core.model.SAMLSSOServiceProviderDO;
import org.wso2.carbon.identity.core.persistence.IdentityPersistenceManager;
import org.wso2.carbon.identity.sso.saml.SAMLSSOConstants;
import org.wso2.carbon.identity.sso.saml.SSOServiceProviderConfigManager;
import org.wso2.carbon.identity.sso.saml.builders.ErrorResponseBuilder;
import org.wso2.carbon.identity.sso.saml.builders.ResponseBuilder;
import org.wso2.carbon.identity.sso.saml.dto.SAMLSSOAuthnReqDTO;
import org.wso2.carbon.identity.sso.saml.dto.SAMLSSOReqValidationResponseDTO;
import org.wso2.carbon.identity.sso.saml.dto.SAMLSSORespDTO;
import org.wso2.carbon.identity.sso.saml.session.SSOSessionPersistenceManager;
import org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil;
import org.wso2.carbon.user.core.UserRealm;
import org.wso2.carbon.user.core.tenant.TenantManager;
import org.wso2.carbon.user.core.util.UserCoreUtil;
import org.wso2.carbon.utils.multitenancy.MultitenantUtils;

/* loaded from: input_file:org/wso2/carbon/identity/sso/saml/processors/AuthnRequestProcessor.class */
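public class AuthnRequestProcessor {

    private static final Log log = LogFactory.getLog(AuthnRequestProcessor.class);

    /** Permission checked after credential authentication before a login is accepted. */
    private static final String LOGIN_PERMISSION = "/permission/admin/login";

    /**
     * Processes an authentication request and produces the SAML response to send to the
     * service provider (encoded in {@link SAMLSSORespDTO#getRespString()}).
     *
     * <p>Order of checks: the issuer must resolve to a registered service provider; when the
     * service provider has a certificate alias the assertion signature must validate; a
     * supplied subject must match the username. Only then is a session persisted and a
     * success response built.
     *
     * @param sAMLSSOAuthnReqDTO the request; {@link #validateIssuer} fills in the registered
     *                           service-provider settings (ACS URL default, login page, cert
     *                           alias, SLO flags) on this object as a side effect
     * @param str                the SSO session identifier used with the session persistence manager
     * @param z                  {@code true} when an SSO session already exists for this user
     *                           (no credential check is performed); {@code false} for a fresh
     *                           username/password login
     * @param str2               the authentication mode, one of {@code SAMLSSOConstants.AuthnModes}
     * @return a response DTO; {@code isSessionEstablished()} is {@code false} on every error path
     * @throws Exception only if building the error response itself fails; every other failure is
     *                   logged and mapped to an error response
     */
    public SAMLSSORespDTO process(SAMLSSOAuthnReqDTO sAMLSSOAuthnReqDTO, String str, boolean z, String str2) throws Exception {
        try {
            if (!validateIssuer(sAMLSSOAuthnReqDTO)) {
                log.warn("Issuer details are not valid. Issuer details should be registered in advance");
                return buildErrorResponse(sAMLSSOAuthnReqDTO.getId(), SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR,
                        "Issuer details are not valid. Issuer details should be registered in advance");
            }
            // NOTE(review): the assertion signature is only verified when the registered service
            // provider carries a certificate alias; for providers without one the assertion string
            // is accepted unverified here — confirm that is intended for such providers.
            if (sAMLSSOAuthnReqDTO.getCertAlias() != null
                    && !SAMLSSOUtil.validateAssertionSignature(sAMLSSOAuthnReqDTO.getAssertionString(),
                            sAMLSSOAuthnReqDTO.getCertAlias(),
                            MultitenantUtils.getTenantDomain(sAMLSSOAuthnReqDTO.getUsername()))) {
                log.warn("Signature Validation Failed for the SAML Assertion.");
                return buildErrorResponse(sAMLSSOAuthnReqDTO.getId(), SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR,
                        "Signature Validation Failed for the SAML Assertion.");
            }
            // A subject named in the request must be the user who is actually logging in.
            if (sAMLSSOAuthnReqDTO.getSubject() != null && sAMLSSOAuthnReqDTO.getUsername() != null
                    && !sAMLSSOAuthnReqDTO.getUsername().equals(sAMLSSOAuthnReqDTO.getSubject())) {
                log.warn("Provided username does not match with the requested subject");
                return buildErrorResponse(sAMLSSOAuthnReqDTO.getId(), SAMLSSOConstants.StatusCodes.AUTHN_FAILURE,
                        "Provided username does not match with the requested subject");
            }

            SSOSessionPersistenceManager persistenceManager = SSOSessionPersistenceManager.getPersistenceManager();
            // Deliberately str2.equals(...) rather than a null-safe comparison: a null mode must
            // not silently skip every branch below and issue a response without authentication;
            // the resulting NullPointerException is turned into an error response by the catch.
            boolean usernamePasswordMode = str2.equals(SAMLSSOConstants.AuthnModes.USERNAME_PASSWORD);

            if (!z && usernamePasswordMode) {
                SAMLSSORespDTO loginFailure = authenticateFreshLogin(sAMLSSOAuthnReqDTO);
                if (loginFailure != null) {
                    return loginFailure;
                }
                persistenceManager.persistSession(str, sAMLSSOAuthnReqDTO.getUsername(),
                        toServiceProviderDO(sAMLSSOAuthnReqDTO), sAMLSSOAuthnReqDTO.getRpSessionId());
            }
            if (z && usernamePasswordMode) {
                // Existing SSO session: the authenticated subject comes from the stored session,
                // not from the request.
                sAMLSSOAuthnReqDTO.setUsername(persistenceManager.getSessionInfo(str).getSubject());
                persistenceManager.persistSession(str, sAMLSSOAuthnReqDTO.getIssuer(),
                        sAMLSSOAuthnReqDTO.getAssertionConsumerURL(), sAMLSSOAuthnReqDTO.getRpSessionId());
            }
            if (z && str2.equals(SAMLSSOConstants.AuthnModes.OPENID)) {
                persistenceManager.persistSession(str, sAMLSSOAuthnReqDTO.getUsername(),
                        toServiceProviderDO(sAMLSSOAuthnReqDTO), sAMLSSOAuthnReqDTO.getRpSessionId());
            }

            Response samlResponse = new ResponseBuilder().buildResponse(sAMLSSOAuthnReqDTO, str);
            SAMLSSORespDTO result = new SAMLSSORespDTO();
            result.setRespString(SAMLSSOUtil.encode(SAMLSSOUtil.marshall(samlResponse)));
            result.setSessionEstablished(true);
            result.setAssertionConsumerURL(sAMLSSOAuthnReqDTO.getAssertionConsumerURL());
            result.setLoginPageURL(sAMLSSOAuthnReqDTO.getLoginPageURL());
            return result;
        } catch (Exception e) {
            // Any failure (including IdentityException from validateIssuer/authenticate) is
            // reported to the caller with a fixed, non-descriptive message; details stay in the log.
            log.error("Error processing the authentication request", e);
            SAMLSSORespDTO errorResponse = buildErrorResponse(sAMLSSOAuthnReqDTO.getId(),
                    SAMLSSOConstants.StatusCodes.AUTHN_FAILURE,
                    "Authentication Failure, invalid username or password.");
            errorResponse.setLoginPageURL(sAMLSSOAuthnReqDTO.getLoginPageURL());
            return errorResponse;
        }
    }

    /**
     * Runs the checks specific to a fresh username/password login: the user's tenant must be
     * active and the credentials must authenticate (see {@link #authenticate}).
     *
     * @return {@code null} when the login is accepted, otherwise the error response to return
     *         (with the error message key and login page URL set so the UI can re-prompt)
     */
    private SAMLSSORespDTO authenticateFreshLogin(SAMLSSOAuthnReqDTO sAMLSSOAuthnReqDTO) throws Exception {
        TenantManager tenantManager = SAMLSSOUtil.getRealmService().getTenantManager();
        String tenantDomain = MultitenantUtils.getTenantDomain(sAMLSSOAuthnReqDTO.getUsername());
        if (!tenantManager.isTenantActive(tenantManager.getTenantId(tenantDomain))) {
            log.warn("Unsuccessful login attempt from the tenant : " + tenantDomain);
            return loginErrorResponse(sAMLSSOAuthnReqDTO, "login.fail.inactive.tenant");
        }
        if (!authenticate(sAMLSSOAuthnReqDTO.getUsername(), sAMLSSOAuthnReqDTO.getPassword())) {
            log.warn("Authentication Failure, invalid username or password.");
            return loginErrorResponse(sAMLSSOAuthnReqDTO, "login.fail.message");
        }
        return null;
    }

    /** Builds an AUTHN_FAILURE response whose status message and error message are both {@code messageKey}. */
    private SAMLSSORespDTO loginErrorResponse(SAMLSSOAuthnReqDTO sAMLSSOAuthnReqDTO, String messageKey) throws Exception {
        SAMLSSORespDTO errorResponse = buildErrorResponse(sAMLSSOAuthnReqDTO.getId(),
                SAMLSSOConstants.StatusCodes.AUTHN_FAILURE, messageKey);
        errorResponse.setErrorMsg(messageKey);
        errorResponse.setLoginPageURL(sAMLSSOAuthnReqDTO.getLoginPageURL());
        return errorResponse;
    }

    /** Copies issuer, ACS URL, cert alias and logout URL from the request into a service-provider DO for session storage. */
    private static SAMLSSOServiceProviderDO toServiceProviderDO(SAMLSSOAuthnReqDTO sAMLSSOAuthnReqDTO) {
        SAMLSSOServiceProviderDO serviceProviderDO = new SAMLSSOServiceProviderDO();
        serviceProviderDO.setIssuer(sAMLSSOAuthnReqDTO.getIssuer());
        serviceProviderDO.setAssertionConsumerUrl(sAMLSSOAuthnReqDTO.getAssertionConsumerURL());
        serviceProviderDO.setCertAlias(sAMLSSOAuthnReqDTO.getCertAlias());
        serviceProviderDO.setLogoutURL(sAMLSSOAuthnReqDTO.getLogoutURL());
        return serviceProviderDO;
    }

    /**
     * Processes an already-validated request for a user who has an existing SSO session.
     *
     * <p>Builds a {@link SAMLSSOAuthnReqDTO} from the validation result and delegates to
     * {@link #process(SAMLSSOAuthnReqDTO, String, boolean, String)} with {@code z = true}.
     * In username/password mode the username is taken from the stored session for {@code str};
     * otherwise the request subject is used.
     *
     * @param sAMLSSOReqValidationResponseDTO validation result carrying issuer, ACS URL, subject,
     *                                        request id and assertion string
     * @param str                             the SSO session identifier
     * @param str2                            the relying-party session identifier
     * @param str3                            the authentication mode ({@code SAMLSSOConstants.AuthnModes})
     * @return a new validation DTO marked valid and carrying the encoded response, ACS URL and
     *         login page URL from the underlying {@link SAMLSSORespDTO}; note that it is marked
     *         valid even when the delegate returned an error response
     * @throws Exception propagated from the delegate
     */
    public SAMLSSOReqValidationResponseDTO process(SAMLSSOReqValidationResponseDTO sAMLSSOReqValidationResponseDTO, String str, String str2, String str3) throws Exception {
        SAMLSSOAuthnReqDTO authnReqDTO = new SAMLSSOAuthnReqDTO();
        authnReqDTO.setIssuer(sAMLSSOReqValidationResponseDTO.getIssuer());
        authnReqDTO.setAssertionConsumerURL(sAMLSSOReqValidationResponseDTO.getAssertionConsumerURL());
        authnReqDTO.setSubject(sAMLSSOReqValidationResponseDTO.getSubject());
        authnReqDTO.setId(sAMLSSOReqValidationResponseDTO.getId());
        authnReqDTO.setRpSessionId(str2);
        authnReqDTO.setAssertionString(sAMLSSOReqValidationResponseDTO.getAssertionString());
        if (str3.equals(SAMLSSOConstants.AuthnModes.USERNAME_PASSWORD)) {
            authnReqDTO.setUsername(SSOSessionPersistenceManager.getPersistenceManager().getSessionInfo(str).getSubject());
        } else {
            authnReqDTO.setUsername(sAMLSSOReqValidationResponseDTO.getSubject());
        }

        SAMLSSORespDTO respDTO = process(authnReqDTO, str, true, str3);
        SAMLSSOReqValidationResponseDTO result = new SAMLSSOReqValidationResponseDTO();
        result.setValid(true);
        result.setResponse(respDTO.getRespString());
        result.setAssertionConsumerURL(respDTO.getAssertionConsumerURL());
        result.setLoginPageURL(respDTO.getLoginPageURL());
        return result;
    }

    /**
     * Builds an encoded SAML error response.
     *
     * @param str  the request id the response answers (InResponseTo)
     * @param str2 the SAML status code ({@code SAMLSSOConstants.StatusCodes})
     * @param str3 the status message
     * @return a DTO with the encoded response and {@code sessionEstablished = false}
     * @throws Exception if building, marshalling or encoding the response fails
     */
    private SAMLSSORespDTO buildErrorResponse(String str, String str2, String str3) throws Exception {
        SAMLSSORespDTO errorResponse = new SAMLSSORespDTO();
        Response response = new ErrorResponseBuilder().buildResponse(str, str2, str3);
        errorResponse.setRespString(SAMLSSOUtil.encode(SAMLSSOUtil.marshall(response)));
        errorResponse.setSessionEstablished(false);
        return errorResponse;
    }

    /**
     * Authenticates a user against the user store of the user's tenant realm and then checks
     * the login permission ({@value #LOGIN_PERMISSION}).
     *
     * @param str  the (possibly tenant-qualified) username; the tenant-less form is passed to the user store
     * @param str2 the password
     * @return {@code true} only if the realm exists, the credentials authenticate and the user is
     *         authorized to log in
     * @throws IdentityException if obtaining the realm or performing the checks throws
     */
    private boolean authenticate(String str, String str2) throws IdentityException {
        try {
            UserRealm realm = AnonymousSessionUtil.getRealmByUserName(SAMLSSOUtil.getRegistryService(),
                    SAMLSSOUtil.getRealmService(), str);
            if (realm == null) {
                log.warn("Realm creation failed. Tenant may be inactive or invalid.");
                return false;
            }
            String tenantLessUsername = UserCoreUtil.getTenantLessUsername(str);
            if (!realm.getUserStoreManager().authenticate(tenantLessUsername, str2)) {
                if (log.isDebugEnabled()) {
                    log.debug("user authentication failed due to invalid credentials.");
                }
                return false;
            }
            boolean authorized = realm.getAuthorizationManager().isUserAuthorized(tenantLessUsername,
                    LOGIN_PERMISSION, CarbonConstants.UI_PERMISSION_ACTION);
            if (log.isDebugEnabled()) {
                log.debug(authorized ? "User is successfully authenticated."
                        : "Authorization Failure when performing log-in action");
            }
            return authorized;
        } catch (Exception e) {
            log.error("Error obtaining user realm for authenticating the user", e);
            throw new IdentityException("Error obtaining user realm for authenticating the user", e);
        }
    }

    /**
     * Resolves the request issuer to a registered service provider and copies the provider's
     * settings onto the request.
     *
     * <p>The in-memory config manager is consulted first, then the persistence manager (via the
     * system registry of the user's tenant). The request's own ACS URL is kept when present and
     * only defaulted from the registered provider when it is {@code null}.
     * NOTE(review): nothing here compares a request-supplied ACS URL with the registered one —
     * confirm that check happens in the request validator before this processor runs.
     *
     * @param sAMLSSOAuthnReqDTO the request to validate and enrich (modified in place)
     * @return {@code true} if a service provider was found for the issuer
     * @throws IdentityException if a lookup throws
     */
    private boolean validateIssuer(SAMLSSOAuthnReqDTO sAMLSSOAuthnReqDTO) throws IdentityException {
        try {
            String issuer = sAMLSSOAuthnReqDTO.getIssuer();
            SAMLSSOServiceProviderDO serviceProvider = SSOServiceProviderConfigManager.getInstance().getServiceProvider(issuer);
            if (serviceProvider == null) {
                serviceProvider = IdentityPersistenceManager.getPersistanceManager().getServiceProvider(
                        AnonymousSessionUtil.getSystemRegistryByUserName(SAMLSSOUtil.getRegistryService(),
                                SAMLSSOUtil.getRealmService(), sAMLSSOAuthnReqDTO.getUsername()),
                        issuer);
            }
            if (serviceProvider == null) {
                return false;
            }
            if (sAMLSSOAuthnReqDTO.getAssertionConsumerURL() == null) {
                sAMLSSOAuthnReqDTO.setAssertionConsumerURL(serviceProvider.getAssertionConsumerUrl());
            }
            sAMLSSOAuthnReqDTO.setLoginPageURL(serviceProvider.getLoginPageURL());
            sAMLSSOAuthnReqDTO.setCertAlias(serviceProvider.getCertAlias());
            sAMLSSOAuthnReqDTO.setUseFullyQualifiedUsernameAsSubject(serviceProvider.isUseFullyQualifiedUsername());
            sAMLSSOAuthnReqDTO.setDoSingleLogout(serviceProvider.isDoSingleLogout());
            sAMLSSOAuthnReqDTO.setLogoutURL(serviceProvider.getLogoutURL());
            sAMLSSOAuthnReqDTO.setDoSignAssertions(serviceProvider.isDoSignAssertions());
            return true;
        } catch (Exception e) {
            log.error("Error validating the issuer", e);
            throw new IdentityException("Error validating the issuer", e);
        }
    }
}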
